Month: November 2017

Some Sites where you can get great Security Information

FBI InfaGard a connection between the Public and private
sectors to share information, Chapter are all over the USA go to here  for More information


DNSstuff performs forensic analysis of name
and email servers, path analysis, authenticate and locate domains..
Go
here

 Internet Storm Center great information about
current issues go here

 

Verizon Data Breach Investigations
report – go here
 

Cisco Threat Research Blog go here

FireEye lots of information about security issues go here  

Microsoft Security Blog go here

Microsoft Security Intelligence Report (SIR), great read on state
of security go here

 

NCI
Sector-based Information Sharing and Analysis Centers (ISACs) collaborate and
coordinate with each other via the National Council of ISACs (NCI). Formed in
2003, the NCI today comprises 24 organizations designated by their sectors as
their

MacOS 10.13.1 – Root vulnerability allows new ADMIN account without password

Apple is in process of
building an emergency patch to lock down the “root” account where a preset
password does not exist.  In certain settings, the “MacOS
10.13.1 Root vulnerability” allows a missing
password challenge to be fully worked around.  That allows user
accounts to be reset, allowing full compromise of vulnerable systems. 
This bug is serious and believe Apple with quickly rectify with an expedient
“patch now” update  
The hack is easy to pull off. It can be triggered through the
Mac’s System Preferences application when “Users & Groups”
is selected, and the lock icon on the window is clicked. After that, a new
login window will appear. Anyone who types “root” as the username, leaves the
password field empty, and clicks unlock (once or twice) is on their way to a
new account that has system admin privileges to the computer.

 

Amit Serper, a security researcher with Cybereason, replicated the
result and said the bug “is as serious as it
gets.”  Hackers are always crafting malware that can
gain greater system privileges into a computer. Now they have a new way, which
can also be triggered via a Mac’s command line function. Imagine a piece of
malicious code designed to attack Macs using the same flaw. Users wouldn’t even
know they were compromised, Serper said.

 

WORKAROUND – Allocate
& preset “ROOT” account to password ahead of time instead of leaving unset
as null value

 

IcedID: A Hot New Item

 

In September of 2017 X-Force
researchers from IBM discovered a new banking Trojan called IcedID. IcedID primarily targets financial institutions such as banks,
payment card providers, and e-commerce sites. IcedID utilizes Emotet for
delivery to target hosts.

 

Emotet is most commonly linked to
small cybercrime organizations in Eastern Europe targeting western countries

and is known as a successor of the Dridex
malware that was designed to amass and maintain botnets. Emotet itself is most
often delivered by opening a macro-enabled malicious file usually delivered by
spam mail. Once executed, the malware embeds itself within normal machine
processes, connects home, and installs additional modular components as
directed. Of the components installed consists of spamming modules, network
worm modules, and data stealers.

 

The main known tactics and
techniques of IcedID consist of common network propagation, victim monitoring,
and web URL tampering. More specifically the malware leverages a local web
proxy which listens to web traffic and based on what it sees can unknowingly
redirect or inject parameters to the victim which causes them to browse to
malicious web content controlled by the attacker instead of the original content
they wanted to see. Reverse engineering of the malware revealed a PropagationThroughNetwork
function, which enumerated the network propagation module that allows the
malware to affect local, or remote connected end points as a way of spreading
to other systems. Additionally, IcedID can query LDAP looking for other users
to attack and can look for other important information to send back to the
command and control server.

 

As a way of hiding itself IcedID utilizes
a full reboot after storing start up files to the Windows %LocalAppData% folder
to evade sandboxes and other defenses on victim hosts. Additionally, the
malware uses SSL to communicate home and launch its attacks to avoid intrusion
detection systems planted within the victim infrastructure. The malware also
uses a random value as the RunKey to establish persistence on the target host.
As an example, the startup file would be “C:UsersUserAppDataLocalewonlia rlewonliarl.exe”
and the Runkey would be at “HKCUSoftwareMicrosoftWindowsC urrentVersionRunewonliarl”.
IcedID listens on local network port 49157 and exfiltrates victim information
of its choosing to its command and control server. Interestingly enough IcedID can
still be identified by its original process IcedID which continues to run even
after reboot which researchers think will likely change in the future.

Sources:

 
Thanks to  Peraton  and their Cyber Intelligence Program (CIP) for this information.

 

 

 

 

Almost 200.000 Cisco switches exposed to malicious attacks

here information from Talos http://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html

Cisco Coverage for Smart Install Client Protocol Abuse

Summary
Talos has become aware of active scanning against customer infrastructure with the intent of finding Cisco Smart Install clients. Cisco Smart Install is one component of the Cisco Smart Operations solution that facilitates the management of LAN switches. Research has indicated that malicious actors may be leveraging detailed knowledge of the Smart Install Protocol to obtain copies of customer configurations from affected devices. The attack leverages a known issue with the Smart Install protocol. Cisco PSIRT has published a security response to this activity. Abuse of the Smart Install protocol can lead to modification of the TFTP server setting, exfiltration of configuration files via TFTP, replacement of IOS image and potentially execution of IOS commands.
We are aware that a tool to scan for affected systems, called the Smart Install Exploitation Tool (SIET), has been publicly released and is available here. This tool may be being used in these attacks.
Protection
 
To assist customers in understanding their exposure to this issue, we have released our own scanning tool as well as preliminary Snort rules which can be used to identify affected systems and detect SIET activity.

Talos Scanning Utility


Talos has produced a scanning utility which all users can run against their infrastructure to determine if they could be affected by abuse of the Smart Install Client Protocol. This tool can be found here.


Coverage


Snort Rules

Talos has created coverage for this issue in the form of sids 41722-41725. These rules are being provided immediately as part of the community rule set and can be downloaded here:
Cisco FirePOWER and Snort Subscriber Rule Set customers should ensure they are running the latest rule update in order to receive coverage. 
Additionally, generic TFTP activity rules sid:518 and sid:1444 are available but these are not issue specific and must be explicitly enabled.

Further Information

Cisco PSIRT has published a blog post related to the issue here:

Further guidance on Smart Install security practices here:

Additional third-party research about Smart Install is available here:

Talos encourages all partners to quickly take steps to protect their systems in accordance with the published security guidelines. 
If you have a network security emergency, contact the Cisco Technical Assistance Center (TAC) at the following phone numbers:
Inside the United States or Canada: +1 800 553-2447
Outside the United States: Worldwide Contacts

Cisco responds quickly to attacks in progress and works with your staff to develop an incident response plan that minimizes the effect of current and future attacks.

Here some new Technology that i have come across

PuriFile

PuriFile’s software suite provides market-leading inspection
and sanitization of digital files, preventing the loss of critical data and
ensuring business continuity for government and commercial customers. Built to
protect your inbox and halt release of sensitive information, PuriFile
inherently understands your email, Microsoft Word, PowerPoint, Excel, PDF, and
image files, so it can provide thorough email and file inspection and
sanitization while maintaining the integrity of your network and information.

Microsoft Exchange Server (MXS) is a collaborative
enterprise server application designed by Microsoft to run on Windows Servers.
MXS supports organizational email, contacts and tasks, calendar, data storage
and web based and mobile information access. By residing on an organizational
endpoint – the Exchange Server, PuriFile can provide email security through identification
and remediation of content entering and exiting through your organizations
communication lifeline, provide Data Loss Prevention and mitigate Zero-Day
attacks.

How it Works

Exchange Server Plugins – Microsoft provides an Application
Programming Interface (API), as well as information and resources to extend
Microsoft Exchange Server allowing for the customization of a unique customer
focused email environment.

PuriFile Exchange Plugin – Using the Exchange Server API, the
PuriFile plugin provides Data Loss Prevention, limits Zero-Day attacks and
controls content leaving an organization. 
Highly configurable, PuriFile is capable of identifying content within
email and attachments based on well-defined policies and takes corrective
action to alert the recipient and sender to remediate violations.

Message Scanning – Residing on a corporate exchange server,
PuriFile is capable of scanning incoming and outgoing email to identify suspect
content based on an organizational policy. When an individual receives an email
or attempts to send email to a recipient, the PuriFile engine scans the content
and attachments checking for violations. In the event a violation is detected,
the recipient/sender is alerted and is able to take corrective action to accept
or modify the content prior to it being received or sent to the recipient:

Figure 1: Scan Mode
Removing Attachments – In addition to the normal email
message scanning, PuriFile is able to provide scanning and insight into content
residing in email attachments. When an individual receives or completes an
email and attempts to send it to the recipient, PuriFile scans the message
along with any attachments and checks for violations. In the event of a
violation in the attachment, the PuriFile engine replaces the content with a
text file identifying the violations. A return notification is sent back to the
sender along with the text file of violations. 
The user will then be given an opportunity to review the violations and
address as appropriate. Once all violations are addressed, the email is
reprocessed for reading or sent on to the recipient:

Figure 2: Attachment Mode

 Message Cleansing – The Message Cleansing mode is similar to
Replacing Attachments mode. Rather than alerting the recipient/sender of
content in violation, the Message Cleansing capability cleanses the offending
content from the document. When an individual receives or completes an email
and attempts to send it to the recipient, PuriFile scans the message along with
any attachments and checks for violations. In the event of a violation in the
attachment, the PuriFile engine removes the content from the file prior to
reading or sending the offending file.

Figure 3 – Cleanse Mode

 

The added effect of the cleansing operation removes any
malicious content, effectively halting in excess of 90% of zero-day attacks.
Combined with an effective Anti-Virus/Anti-Malware solution organizations will
have gained the upper hand on virulent viruses and malware.
 
Here is a cool offer if you interested  in testing this let me know i will forward you info to the Beta test team. They are offering   to get the software for 12 months (plus
support) for doing the beta test for us.
 
Send email to Jferron @ Interactive Security Training.com (NO spaces)

 

 

Windows 10 Version 1709 and Hyper-v Issue

Hyper-V virtual machines don’t start after you upgrade to Windows 10 Version 1709
This is a know issue that is caused  by Antivirus programs.
Bellow is the Microsoft Solution and article.

Symptoms

Consider the following scenario:
  • You have a Windows 10-based computer that has the Hyper-V role installed.
  • You upgrade the computer to Windows 10 Version 1709.
In this scenario, you cannot start virtual machines. Also, you receive the following error message:
Start-VM : ‘VM_NAME’ failed to start. (Virtual machine ID XXXXXX)
‘VM_NAME’ failed to start worker process: %%3228369022 (0xC06D007E). (Virtual machine ID XXXXXXX)
At line:1 char:1
+ Start-VM VM_NAME
+ ~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Start-VM], VirtualizationException
    + FullyQualifiedErrorId : OperationFailed,Microsoft.HyperV.PowerShell.Commands.StartVM

Additionally, you see the following entry in the System log:
The Hyper-V Host Compute Service service terminated unexpectedly.  It has done this 11 time(s).

And you see the following entry in the Application log:
Faulting application name: vmcompute.exe, version: 10.0.16299.15, time stamp: 0x1a906fe6
Faulting module name: vmcompute.exe, version: 10.0.16299.15, time stamp: 0x1a906fe6
Exception code: 0xc0000005
Fault offset: 0x000000000000474b
Faulting process id: 0x3d78
Faulting application start time: 0x01d34d80559647e6
Faulting application path: C:WINDOWSsystem32vmcompute.exe
Faulting module path: C:WINDOWSsystem32vmcompute.exe
Report Id: 0ec19ef4-d52a-4135-ae72-5cba92ec909f
Faulting package full name:
Faulting package-relative application ID:
Response: Not available
Cab Id: 0
Problem signature:
P1: vmcompute.exe
P2: 10.0.16299.15
P3: 1a906fe6
P4: vmcompute.exe
P5: 10.0.16299.15
P6: 1a906fe6
P7: c0000005
P8: 000000000000474b
P9:
P10:
Attached files:
\?C:ProgramDataMicrosoftWindowsWERTempWER98A7.tmp.mdmp
\?C:ProgramDataMicrosoftWindowsWERTempWER9974.tmp.WERInternalMetadata.xml
\?C:ProgramDataMicrosoftWindowsWERTempWER9981.tmp.csv
\?C:ProgramDataMicrosoftWindowsWERTempWER99C1.tmp.txt
\?C:WindowsTempWER99C3.tmp.appcompat.txt
C:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_vmcompute.exe_101d36662442e0c1debf6dea58c1dd187cc5_51a43a19_cab_332099dfmemory.hdmp
These files may be available here:
C:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_vmcompute.exe_101d36662442e0c1debf6dea58c1dd187cc5_51a43a19_cab_332099df
Analysis symbol:
Rechecking for solution: 0
Report Id: 0ec19ef4-d52a-4135-ae72-5cba92ec909f
Report Status: 4
Hashed bucket:
 

Cause

This issue occurs because Windows 10 Version 1709 enforces a policy that configures Vmcompute.exe not to allow any non-Microsoft DLL files to be loaded.

Resolution

To fix this issue, check whether you have a non-Microsoft DLL file loaded in the Vmcompute.exe process. One possible cause of this issue is your antivirus software.